How to
Jack Danahy
Oct 2015

Real Cybersecurity Awareness: Repeating Ourselves is Not Enough

Photo by Source

Let's take time this October to transform cybersecurity from an abstract concern to a real and positive responsibility we all share with one another.

As we head deeper into October and National Cyber Security Awareness month, I’m already starting to see the messages about longer passwords and more frequent software updates, about user education and even more monitoring. These messages are all fine and good, but against the stark backdrop of the reality we’re facing — the increasing number of data breaches, millions of personal records lost or compromised, attackers operating at speeds security can’t match  — they can come across as pale and perfunctory.

Don’t get me wrong, I think the intent behind these messages is well-meaning, but I can’t help feeling like October has now settled into “National Cyber Security Basic Hygiene Awareness Month”. Considering everything we’re up against, and the potential we actually do have to make a very real difference, that’s disappointing.

Basic Security Hygiene Tips Won’t Help Us Actually Care

To inject some more interest and impact into this month, I recommend we direct our passion and our messages to raising a more substantial and transformational kind of awareness: the awareness that we all have both the power and the responsibility to protect the security of this integrated cyber environment we live in.

Establishing that awareness is the first step in cultivating something that’s been painfully absent from the majority of our relationships with cybersecurity — the crucial sense of personal ownership and empowerment that serves as the foundation for any meaningful growth and change.

Yes, this may seem like quite a leap from passing along simple password tips, but stepping back and taking this approach can be far more effective in the long run.

As security awareness advocates, it’s our job not only to help protect others from attacks, but to teach them how to protect themselves (tweet this).

I think that really starts with us discussing, understanding, and embracing our roles. 

Owning Our Roles (& Understanding Why They’re Important)

We each play multiple roles in our pervasively internetworked world. In each of these roles, we deal with organizations and individuals on a variety of levels — as consumers, employees and team members, and as friends and family members.

When we stop to think about these different relationships and roles, we can begin to personalize the impact of decisions we make. That’s how you successfully turn abstract concepts into scenarios that actually hit home. And as security advocates isn’t that the name of the game? Helping others develop a sense of personal responsibility can be a much stronger means of encouraging the development of better user behaviors.

Let’s take a closer look at each of the primary roles we play in developing and strengthening cybersecurity, along with a few examples of ways we can encourage each other to fully embrace and leverage them.   

1) Our Role as Consumers: Letting Companies Know We Value Security

Firstly, we are all consumers. We consume products, services, data, and media from myriad sources, both in our professional and personal lives, and in our homes, our offices, on our computers, our phones, and in our cars.

We need to think about our technology purchases with an eye towards some of the same values that we apply in the physical world.  If we get food poisoning from a restaurant, we will not be back, but we continue to use products and frequent vendors whose products or services are demonstrated to be vulnerable.  We look for consumer safety reports for our cars and appliances, but we download applications with little concern for their origin or intent.  When we do these things, we diminish the value of providers investing in better security, and we reward the current apathy of the others.

We need to add security to our list of criteria for what we buy and use, and we need to make it clear that blatant insecurity is a sufficient reason to go buy somewhere else.

2) Our Role as Employees and Community Members: We’re Only as Strong as Our Weakest Link

Outside of browsing online, the bulk of our online interactivity occurs at work or through an organization (school, club, etc.) where we regularly interact with other members. Communities naturally create a sense of trust, but unfortunately, this trust is often abused by both active and automated attackers. Once they corrupt an account, they then leverage the trusted relationships held by that account to further expand their reach.  

As employees and members of these networks, we have a responsibility to be careful about what risks we choose to pose to the rest of these communities. If I use my machine on a sketchy public network, and then I plug it into my corporate LAN, then I am responsible for transferring any technical pathogens I may have caught. If I allow the credentials for my social networking account to be stolen or guessed, then I am responsible for exposing my colleagues to the masquerading advances of the attacker.

We need to remember that in this dynamic and network-enabled infrastructure, the decisions we make for ourselves can easily become decisions we make for our companies and our colleagues.

3) Our Role as Friends and Family Members: Safekeeping Our Information and Theirs

Our constant interaction with our friends and family through our many devices has drastically reduced our natural distrust of the information that is served to us. Whether our desktops, laptops, or mobile devices, many people see their interaction as direct and unobserved when they share their experiences and emotions online. As a result, we need to be particularly responsible about our behavior because our own loss of control over our systems to an attacker means that we have also lost control of the secrets that others share with us.

Few of us would shout out a secret in a crowded room instead of whispering it, but that is effectively what we’re doing when our systems become corrupted by a wide variety of malware.  We need to be conscious of our habits because those we care about trust us (and therefore our devices) to be true to their confidences.

Bringing it Home

This kind of awareness doesn’t change the basic hygienic components of better cybersecurity behavior. We all still need to use stronger passwords and regularly apply software patches and updates. It does, however, make it more likely that people will pay attention and actually modify their behavior. Take time this October to transform security from an abstract concern to a real and positive responsibility we all share with one another. Discussing each of our roles and the impact we have on others is a fantastic way to start.
 

Photo by: Billy Onjea

Jack Danahy

Jack Danahy

Jack is a 25-year-veteran in the security industry. Prior to co-founding Barkly he was the founder and CEO of two successful security companies: Qiave Technologies, acquired by Watchguard Technologies in 2000, and Ounce Labs, acquired by IBM in 2009.

lock-white.png

Close the gaps in your security

Stop paying for AV, get the strongest protection instead. See how Barkly blocks attacks that are getting past AV.

See a demo

Comments

Stay informed!

Get the latest security news, tips, and trends straight to your inbox.

Stay informed!

Get the latest security news, tips, and trends straight to your inbox.